Data protection legislation asks for a different approach to vendor management. As controllers are liable for what their processors do with their customers’ and employees’ personal data, the controller should take action to ensure the processor is in compliance with the applicable legislation. A vendor management strategy is key to minimize data privacy and security risks.
Read our best practices to vendor management under data protection legislation in this blog.
Vendor management must be qualified as a lifecycle. As data protection needs to be integrated into your processing activities and business practices, according to the concept of data protection by design, make sure to integrate it into the vendor management lifecycle. This lifecycle starts with the vendor selection process. Take data protection into account early on in the procurement process, by performing due diligence. Create screening questions for potential vendors to assess their competence in supporting compliance with data protection legislation. Include in the checklist data protection by design and default adherence as well as risk exposure. Make procurement employees aware of data protection aspects in the procurement process. In addition to screening questions, the potential vendor might be able to demonstrate its’ competence by providing certifications and audit reports. Also consider requesting a DPIA (data protection impact assessment) of certain vendors.
Often, data protection obligations are only considered late in the procurement process, resulting in a surprise for vendors and, not uncommon, a delay in the signing process.
After selecting the vendor, parties need to agree upon appropriate contract terms. Usually, so called ‘data processing agreements’ are signed which include clauses on roles and responsibilities, categories of processed data by the processor, retention periods, data breach notification, data deletion and so forth. Include in the data processing agreement an overview of the vendor’s obligations regarding technical and organizational measures or perform a check on the vendor’s security measures to ensure these are in line with your organization’s standards. Be aware of topics which usually cause lengthy contract negotiations; 1) audit costs (is the controller paying for the processor executing an audit or not?). 2) liability (referring to liability in the original contract or agree on different liability terms?). 3) Periods of responding by the processor in case of a data breach or a data subject executing his rights.
Agree upon appropriate data protection contract terms before initiating the processing activities.
The contract has been signed, this is when the service period officially starts. Limit personal data sharing and access to personal data by the vendor to the minimum necessary for performing the agreed services. Monitor the service of the processor to ensure it is processing personal data in conformity with the contract and with applicable data protection legislation. Processor audits are a monitoring method through which the processor is asked to prove he processes personal data in compliance with the law. Assess the results and take appropriate follow up actions.
Regularly, data controllers do not monitor their processors during the service period. Processor audits are an appropriate monitoring tool.
When the contract with a service provider is terminated the controller must, depending on the circumstances, make sure that personal data is deleted by the processor after the agreed period of time. Deletion of data should be stipulated in the data processing contract. Request the service provider for a proof of deletion to ensure the data has been deleted.
Summary – what to remember:
- Involve data protection in procurement & train these people.
- Focus on the 3 hurdles in a DPA (don’t make the terms too strict to avoid unnecessary discussions).
- Perform audits to check continued compliance with data protection requirements.
- Upon contract termination request a proof of deletion.